The Certification and Accreditation of Computer Systems Should Remain in the Computer Security Material Weakness

August 2004

Reference Number: 2004-20-129

This report has cleared the Treasury Inspector General For Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

August 9, 2004

MEMORANDUM FOR CHIEF, MISSION ASSURANCE

FROM: Gordon C. Milbourn III
      Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Certification and Accreditation of Computer Systems Should Remain in the Computer Security Material Weakness (Audit # 200420005)

This report presents the results of our review of the effectiveness of Internal Revenue Service (IRS) actions to resolve the certification and accreditation vulnerabilities associated with the computer security material weakness. The Department of the Treasury requested that the Treasury Inspector General for Tax Administration (TIGTA) provide an independent assessment of the effectiveness of the IRS' actions to address the material weakness.
This report is from one of five reviews conducted during this fiscal year to meet this request.

In summary, the IRS has made commendable progress in certifying its many computer systems, but additional work remains to be performed before this area within the computer security material weakness can be downgraded. The IRS Office of Mission Assurance has initiated efforts to revamp the certification process by placing all IRS systems into one of four categories. As of February 2004, these categories were General Support Systems (29 systems), Major Applications (27 systems), Applications of Interest (31 systems), and Other Applications (312 systems).

The Chief, Mission Assurance, established certification requirements for the General Support Systems, Major Applications, and Applications of Interest. Other Applications will be mapped to the appropriate General Support System, and less stringent security self-assessments will be used as a basis to review security in the Other Applications. As of May 2004, 36 (12 percent) of the 312 Other Applications had not yet been mapped.

We concur with the overall approach for classifying systems in the new categories based on risks and for developing customized certification requirements for each of the categories. The IRS is following guidance from the Federal Information Security Management Act[1] and the National Institute of Standards and Technology (NIST).[2] However, the IRS has not certified and accredited enough systems to downgrade this area within the computer security material weakness. As of February 2004, the IRS reported that 58 (67 percent) of the 87 General Support Systems, Major Applications, and Applications of Interest had been certified. In addition, only 18 (31 percent) of the 58 certified systems had been accredited.
The unaccredited systems are in use by the IRS, although no IRS manager has accepted responsibility for the respective systems' security. In the past, the IRS has not monitored the accreditation process to ensure accreditations were completed and accountability over the systems was maintained. The Office of Mission Assurance has initiated efforts to begin tracking accreditations of systems and when it expects accreditations to be completed, although no formal process to do this has been established.

We recommended the Chief, Mission Assurance, keep the certification and accreditation of computer systems as part of the computer security material weakness until a sufficient number of systems has been certified. We suggested the IRS follow the lead provided by the President's Management Agenda (PMA),[3] which states that at least 90 percent of the systems should be certified and accredited for agencies to get a "green" status. In addition, the Chief, Mission Assurance, should continue mapping Other Applications to General Support Systems to ensure all Other Applications are included in a General Support Systems certification and accreditation, and should establish a formal process to monitor accreditations and report noncompliance, as needed, to the Deputy Commissioners to ensure accreditations are completed.

Management's Response: The Chief, Mission Assurance, disagreed with the recommendation that certification and accreditation remain as part of the computer security material weakness. He contended the IRS has exceeded the goal it set in 2002, to certify and accredit 75 percent of IRS systems known at that time. The Chief, Mission Assurance, agreed with the other two recommendations. He has developed a plan to ensure all Other Applications are correctly mapped to General Support Systems and has implemented a process to require accreditation memoranda be returned to his office.
This will allow him to ensure accreditations have been completed and to monitor and report any noncompliance to the IRS Deputy Commissioners on a yearly basis. Management's complete response to the draft report is included as Appendix V.

Office of Audit Comment: We strongly believe the certification and accreditation of sensitive systems should remain as part of the computer security material weakness. Since 2002, when the IRS established its baseline goal for closing the certification and accreditation material weakness area, there have been two significant developments that lead us to conclude this issue has not yet been resolved.

First, agencies' certification and accreditation performance has received increased attention and oversight by the Office of Management and Budget (OMB). The Expanding E-Government Scorecard under the PMA has established that 90 percent of systems should be certified and accredited for an agency to receive "green" status in this area and that 80 percent compliance receives "yellow" status. Therefore, we believe a 75 percent performance measure, while acceptable in 2002, is not in line with the current Government-wide goals.

Second, the IRS' systems inventory count in 2002, which served as the baseline for the 75 percent goal, has proven to be inaccurate. Since that time, IRS management has rigorously worked to establish an accurate inventory of systems. As a result, both the number of systems and the number requiring certification and accreditation have been revised. Based on this more accurate data, and as stated in this report, the IRS had certified 67 percent of its major systems, as of February 2004.

In its response, the IRS proposed to close certification and accreditation as a material weakness area and then assess the prudence of reopening it as a new material weakness. The benefit of this approach is not clear. In our opinion, the weakness has existed for years and has not yet been corrected to meet the goals of the PMA. Accordingly, we believe it should remain as part of the computer security material weakness and we intend to elevate our disagreement to the Department of the Treasury for resolution.

The Deputy Commissioner for Operations Support is responsible for ensuring the IRS Commissioner submits a written reply to the Assistant Secretary for Management and Chief Financial Officer of the Department of the Treasury within 30 calendar days of the final report issuance date. This reply should explain the IRS' reasons for the lack of agreement with the recommendation contained in this audit report. The IRS Commissioner will provide a copy of the reply to the TIGTA. Resolution shall be made within a maximum of 6 months after issuance of a final TIGTA audit report, in accordance with OMB Circular A-50.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions, or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

[1] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[2] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.
[3] The PMA outlines the President's strategy for improving the management and performance of the Federal Government. Congressional testimony from the Honorable Karen Evans from the OMB on March 16, 2004, referred to the President's Management Agenda as an important mechanism for acknowledging agency Information Technology security progress and highlighting significant problems.

Table of Contents

Background
More Actions Need to Be Completed Before the Certification and Accreditation Material Weakness Area Is Downgraded
    Recommendation 1
    Recommendation 2
    Recommendation 3
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Summary of the Certification and Accreditation Process
Appendix V – Management's Response to the Draft Report

Background

The Federal Managers' Financial Integrity Act[1] requires that each agency conduct annual evaluations of its systems of internal accounting and administrative control and submit an annual statement on the status of the agency's system of management controls. As part of the evaluations, agency managers identify control areas that can be considered material or significant weaknesses.

The Department of the Treasury has defined a material weakness as, "shortcomings in operations or systems which, among other things, severely impair or threaten the organization's ability to accomplish its mission or to prepare timely, accurate financial statements or reports." The Office of Management and Budget (OMB) monitors progress on these weaknesses.

The Department of the Treasury also defines weaknesses of lesser importance, sometimes referred to as Reportable Conditions or Significant Control Deficiencies.
These are problematic issues which do not rise to the level of materiality but which warrant special management attention to ensure improvement rather than deterioration to the point at which they become material weaknesses. The OMB does not monitor progress on these weaknesses.

In 1995, the Internal Revenue Service (IRS) began monitoring the certification and accreditation process of its sensitive computer systems as a potential management control weakness. In 1997, the IRS officially reported it as a material weakness.

Certification and accreditation, as defined and required by the OMB for all Federal Government automated information systems,[2] is a process to provide assurance that adequate security controls are in place over computer systems. Systems should be certified and accredited before being implemented and at least every 3 years thereafter or when a significant change is made that affects the system, whichever occurs first.

Certification is the comprehensive evaluation of the technical and non-technical security controls and the identification of any weaknesses with those controls or lack thereof. Accreditation is an authorization granted by a management official to operate the system based on the evaluation of the security controls. It is a statement that the management official (i.e., the accrediting official) is aware of, understands, and accepts responsibility for the risks associated with placing the system into operation. A summary of the certification and accreditation process is provided in Appendix IV.

In October 2002, the IRS consolidated all computer security-related material weaknesses, including the certification and accreditation of sensitive systems, into one material weakness.[3] The Department of the Treasury requested that the Treasury Inspector General for Tax Administration provide an independent assessment of the effectiveness of the IRS' actions to address the overall computer security material weakness. This review is one of five reviews conducted during this fiscal year to meet this request.

This review was conducted in the Office of Mission Assurance facilities at the IRS Headquarters in New Carrollton, Maryland, during the period August 2003 through April 2004. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] 31 U.S.C.: §§ 1105, 1113, and 3512 (2000).
[2] OMB Circular A-130, Management of Federal Information Resources, dated February 1996.
[3] The computer security material weakness consists of nine areas: (1) Network Access Controls; (2) Key Computer Applications and System Access Controls; (3) Configuration of Software; (4) Functional Business, Operating, and Program Units' Security Roles and Responsibilities; (5) Segregation of Duties Between System and Security Administrators; (6) Contingency Planning and Disaster Recovery; (7) Monitoring of Key Networks and Systems; (8) Security Training; and (9) Certification and Accreditation.

More Actions Need to Be Completed Before the Certification and Accreditation Material Weakness Area Is Downgraded

The IRS has made commendable progress in certifying its many computer systems, but additional work remains to be performed before this area within the computer security material weakness can be downgraded. Determining the number of systems to be certified and accredited has been a challenge.
In addition, a sufficient number of systems has not been certified and accredited.

Determining the number of systems to be certified and accredited has been a challenge

When we conducted an audit in this area in January 1999, the IRS had certified 10 percent of its sensitive systems.[4] In May 2002, the certification percentage had increased to 39 percent, based on a follow-up review we performed.[5] The IRS established a certification goal of 75 percent by September 2003 to close this material weakness and reported to the Department of the Treasury that it had met this goal.

However, the percentage of systems certified has always been questionable because the IRS has had difficulty determining the number of systems to be certified. In January 2000, the IRS reported it had 258 computer systems and it has since reported a different number every year, as reflected in Chart 1.

Chart 1: Inventory of IRS Systems

    Date         Number of systems
    Jan 2000     258
    May 2002     269
    Oct 2002     283
    Jan 2003     569
    Sept 2003    424

Source: The IRS Office of Mission Assurance.

This system inventory fluctuation was a result of the IRS' own changing interpretation of what it considered a system. At its peak in January 2003, the IRS system count consisted of any computer program that resembled a system. For example, the inventory included those programs that were not even information systems, such as spreadsheets and other personal productivity tools. After a concerted effort to purify its system inventory number, the IRS reported it had 424 sensitive systems, as of September 2003.

When the IRS reported it had met the 75 percent certification goal of its sensitive systems, it had based its accomplishments on the number of sensitive systems known in October 2002, which totaled 283. The October 2002 date represented when the IRS and the Department of the Treasury agreed to the 75 percent milestone. Thus, the IRS reported that it had certified 232 (82 percent) of 283 systems.

We believe meeting the 75 percent milestone on an outdated number of systems does not warrant the downgrading or closing of the certification and accreditation material weakness area. The IRS operated an additional 141 systems that were not considered when the IRS calculated its accomplishments. Therefore, we concluded that, as of September 2003, the IRS had certified 232 (55 percent) of 424 systems.

The Department of the Treasury recognized the differences in these accomplishments. In December 2003, it gave the IRS 60 days to straighten out the count of its sensitive systems for certification and accreditation purposes.

[4] Certifying the Security of Internal Revenue Service Computer Systems Is Still A Material Weakness (Reference Number 2000-20-092, dated June 2000).
[5] Although Still Behind in Certifying the Security of Sensitive Computer Systems, the Internal Revenue Service Has Made Significant Progress (Reference Number 2002-20-165, dated September 2002).
To meet this mandate as well as to address the certification and accreditation material weakness area, the IRS planned to take the following actions:

• Establish new system categories based on risk level and mission criticality, ensuring methodology and deliverables are consistent with guidance from the Federal Information Security Management Act (FISMA)[6] and the National Institute of Standards and Technology (NIST).[7]
• Establish certification and accreditation requirements for each of the new system categories.
• Certify and accredit systems necessary to downgrade or close the material weakness area.

[6] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[7] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets. NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, provides guidelines for executive agencies to help achieve more secure information systems within the Federal Government.

To establish new system categories, the Office of Mission Assurance reevaluated the IRS' systems inventory to definitively identify the total number of systems and developed a new systems categorization methodology. While conducting this effort, the Office of Mission Assurance found that some systems were no longer operational and others could be considered as a subsystem of another system.

In February 2004, the Office of Mission Assurance presented its new methodology, which placed 399 systems into 1 of 4 categories based on risk, defined as follows:

General Support Systems (29 systems) provide necessary Information Technology infrastructure support to applications and business functionality. Compromise of these systems would have a severe adverse effect on the IRS mission, tax administration functions, and/or employee welfare. Subcategories consist of telecommunications, modernization, computing platforms, and other networks.

Major Applications (27 systems) require special attention to security because of the severe adverse effect that compromise of these applications would have on the IRS mission, tax administration functions, and/or employee welfare. This category includes production modernization systems, consolidated applications on the same platform, and financial systems based on size and scope.

Applications of Interest (31 systems) do not possess the level of interest and size or scope of the Major Application category but require additional levels of control because, based on business functionality, level of exposure, or third party interest, compromise would significantly degrade the IRS' mission and tax administration operation.

Other Applications (312 systems) do not generally require additional security safeguards above those provided by the General Support System.

In establishing certification and accreditation requirements, the Office of Mission Assurance has proposed procedures that would assign varying levels of certification requirements to the four categories. The procedures require that General Support Systems and Major Applications receive a full independent certification as well as accreditation. The procedures specify that Applications of Interest receive various levels of certification depending on the results of a risk analysis.

The IRS did not plan to conduct separate testing on the Other Applications.
Instead, it planned to map the Other Applications to a General Support System and rely primarily on the security controls existing in the underlying network of the General Support System, which will be required to be certified and accredited. As of May 2004, the IRS had not yet mapped 36 (12 percent) of the 312 systems in the Other Applications category to a General Support System.

We also raised concerns with this approach due to the sensitivity of data on some of the Other Applications and the need to maintain security controls on the applications as well as the General Support System.

The Office of Mission Assurance plans to continue discussions with IRS personnel and to conduct site visitations to complete this mapping effort, as well as to ensure all systems in the Other Applications category are accurately categorized.

In May 2004, the Chief, Mission Assurance, decided that security self-assessments, as required by the FISMA, would be conducted for the Other Applications. These self-assessments, which are less stringent than the certification requirements for the other three categories, will provide some review of security controls on the Other Applications.

We concur with the overall approach the IRS is now taking with the categorization of its systems and its new certification requirements. This approach will allow the IRS to focus most of its certification efforts on the General Support Systems, Major Applications, and Applications of Interest, while still providing some assessment of controls on the Other Applications. The approach is substantially consistent with NIST guidance.

A sufficient number of systems has not been certified and accredited

The IRS has not certified enough systems to downgrade this material weakness. As of February 2004, the IRS reported it had certified 58 (67 percent) of the 87 General Support Systems, Major Applications, and Applications of Interest.

Once systems have been certified, the Office of Mission Assurance provides various documents to the accrediting officials for consideration. These documents include current system security plans, security assessment reports, and actions needed to correct deficiencies noted during testing.

After reviewing certification information, accrediting officials have three choices.
They can:
   • Grant full authorization to operate as is.
   • Provide an interim approval to operate pending the correction of vulnerabilities.
   • Deny authorization to operate.

We found that accrediting officials were not complying with the accreditation procedures. Only 18 (31 percent) of the 58 certified systems had been accredited. The unaccredited systems are already in use by the IRS. However, no IRS employee is accountable for the security of those systems that have not been accredited. Consequently, unaccredited systems are more likely to become operational with known security vulnerabilities, thus placing the systems and their data at risk.

Business unit system owners are primarily responsible for accrediting their systems. In the past, the IRS has not monitored the accreditation process to ensure accreditations were completed and accountability over the systems was maintained.
While it has no authority over the accreditation process, the Office of Mission Assurance has initiated efforts to begin tracking accreditations of systems and when it expects accreditations to be completed, although no formal process to do this has been established.

Without an effective certification and accreditation process, the IRS cannot make informed decisions on the risks associated with its systems. Until the process provides a more thorough assessment of risk for systems and applications, we believe the additional oversight provided by externally reporting this weakness area is appropriate.

Recommendations

The Chief, Mission Assurance, should:

1. Keep the certification and accreditation of computer systems as part of the computer security material weakness until a sufficient number of systems has been certified and accredited. We suggest the IRS follow the Expanding E-Government Scorecard for Information Technology Security under the President’s Management Agenda (PMA),8 which states that at least 90 percent of the systems should be certified and accredited for agencies to receive “green” status in this area.

8 The PMA outlines the President’s strategy for improving the management and performance of the Federal Government. Congressional testimony from the Honorable Karen Evans from the OMB on March 16, 2004, referred to the President’s Management Agenda as an important mechanism for acknowledging agency Information Technology security progress and highlighting significant problems.

Management’s Response: The Chief, Mission Assurance, disagreed with this recommendation and contended the IRS has exceeded the goal it set in 2002, to certify and accredit 75 percent of IRS systems.

Office of Audit Comment: We strongly believe that certification and accreditation of sensitive systems should remain part of the computer security material weakness. Since 2002, when the IRS established its baseline goal for closing the certification and accreditation material weakness area, there have been two significant developments that lead us to conclude this issue has not yet been resolved.

First, agencies’ certification and accreditation performance has received increased attention and oversight by the OMB. The Expanding E-Government Scorecard under the PMA has established that 90 percent of systems should be certified and accredited for an agency to receive “green” status in this area and that 80 percent compliance receives “yellow” status. Therefore, we believe a 75 percent performance measure, while acceptable in 2002, is not in line with the current Government-wide goals.

Second, the IRS’ systems inventory number in 2002, which served as the baseline for the 75 percent goal, has proven to be inaccurate. Since that time, IRS management has rigorously worked to establish an accurate inventory of systems. As a result, both the number of systems and the number requiring certification and accreditation have been revised. Based on this more accurate data, and as stated in this report, the IRS had certified 67 percent of its major systems, as of February 2004.

In its response, the IRS proposed to close certification and accreditation as a material weakness area and then assess the prudence of reopening it as a new material weakness. The benefit of this approach is not clear. In our opinion, the weakness has existed for years and has not yet been corrected to meet the goals of the PMA.
Accordingly, we believe it should remain as part of the computer security material weakness.

2. Complete the mapping of systems in the Other Applications category to the General Support Systems to ensure all Other Applications are included in a General Support System’s certification and accreditation. Site visitations should be completed as planned to ensure all systems, including Other Applications, have been appropriately categorized and receive the necessary certification attention.

Management’s Response: The Chief, Mission Assurance, agreed with this recommendation and the IRS has developed a plan to ensure all Other Applications are correctly mapped to General Support Systems as part of its new certification and accreditation approach.

3. Establish a formal process to monitor accreditations and report noncompliance, as needed, to the Deputy Commissioners to ensure accreditations are completed.

Management’s Response: The Chief, Mission Assurance, agreed with this recommendation and has implemented a process that requires all accreditation memoranda to be returned to his office and provides the IRS Deputy Commissioners with a report of systems not accredited on an annual basis.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the Internal Revenue Service (IRS) has effectively resolved vulnerabilities associated with its computer security material weakness. The IRS has segregated this material weakness into nine areas, one of which covers the certification and accreditation of computer systems. To accomplish our objective, we:

I.   Determined if the applications in the revised master inventory have been appropriately categorized.
     A. Evaluated the criteria used for categorizing systems and applications into the four categories (General Support Systems, Major Applications, Applications of Interest, and Other Applications).
     B. If any systems were miscategorized, determined the reasons why.
II.  Determined if certification requirements established for each of the four categories were appropriate.
     A. Identified the specific certification requirements for each of the four categories.
     B. Evaluated the certification requirements for each category to determine whether adequate security was reflected for each category. If any categories had insufficient certification requirements, we determined the reason why.
III. Determined how the revised certification and accreditation approach and system inventory count affected the material weakness definition and assessed the current status of the material weakness.
IV.  Assessed the certification and accreditation process in terms of the general coverage of certification testing, the identification of security vulnerabilities, and the compliance with accreditation requirements.
V.   Determined how many systems had been certified and accredited. For systems not certified or accredited, we held discussions with Office of Mission Assurance staff to determine the reasons why.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Mary Jankowski, Senior Auditor
Thomas Nacinovich, Senior Auditor
Joan Raniolo, Senior Auditor
Charles Ekholm, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Information Officer OS:CIO
Director, Certification Testing, Evaluation and Assessment OS:MA:CT
Director, Modernization and Systems Security Engineering OS:MA:M
Director, Portfolio Management OS:CIO:R:PM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
     Chief Information Officer OS:CIO
     Chief, Mission Assurance OS:MA

Appendix IV

Summary of the Certification and Accreditation Process

The following description is derived from the Guide for the Security Certification and Accreditation of Federal Information Systems, National Institute of Standards and Technology (NIST) Special Publication 800-37 (dated May 2004).1 It is a brief summary of steps an agency should take in completing a certification and accreditation.

The evaluation of security controls to enable a decision on whether to place a computer system into operation is known as certification. Steps to certify a computer system include:
    1. Review the system security plan and confirm that the contents of the plan are consistent with an initial assessment of risk.
    2. Notify concerned agency officials as to the need for security certification and accreditation; determine the resources needed to carry out the effort; and prepare a plan to execute the security certification and accreditation activities, including a proposed schedule and key milestones.
    3. Independently analyze security categorizations, obtain an independent analysis of the system security plan, update as needed based on the results of the independent analysis, and obtain acceptance of the system security plan by the authorizing official and senior agency information security officer.2
    4. Gather supporting information needed for the assessment (system requirements and design documents, security control implementation evidence, etc.). Evaluate the security controls and document results of the evaluation in a security assessment report.
    5. Provide the certification agent with the security assessment report, update the system security plan as needed, assemble the final security accreditation package, and submit it to the authorizing official.

The senior agency official’s authorization to place a computer system into operation based on the certification evaluation is known as accreditation.
Steps to accredit a computer system include:
    1. Determine residual risk to operations or assets based on vulnerabilities and any planned or completed corrective actions to reduce vulnerabilities, determine if the actual residual risk is acceptable, and prepare the final security accreditation decision letter.
    2. Transmit the final security accreditation package to the appropriate individuals and organizations and update the system security plan with the latest information from the accreditation decision.

1 The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets. NIST Special Publication 800-37 provides guidelines for executive agencies to help achieve more secure information systems within the Federal Government.
2 NIST supplemental guidance states that a non-independent self-assessment may be used for low-impact systems. Additional guidance relating to low-impact systems is also provided on other steps in the certification and accreditation process, generally allowing for a streamlined process and indicating that independence is not required.

Appendix V

Management’s Response to the Draft Report